North Korean-linked group Konni (Opal Sleet, TA406) is deploying AI-generated PowerShell backdoors to target developers and engineers in the blockchain sector across the Asia-Pacific region. The campaign uses Discord-hosted lures, LNK/DOCX/CAB loaders, UAC bypasses, scheduled tasks, and XOR-encrypted in-memory execution to maintain persistence and execute C2-issued code. #Konni #PowerShell
Key points
- Konni (Opal Sleet/TA406) is deploying AI-generated PowerShell backdoors targeting blockchain developers and engineers.
- Initial access is delivered via Discord-hosted links that drop ZIP archives containing a PDF lure and a malicious LNK shortcut.
- The LNK launches a PowerShell loader that extracts a DOCX document and a CAB archive with a backdoor, batch files, and a UAC bypass.
- Persistence and evasion are achieved using scheduled tasks, XOR-encrypted scripts, in-memory execution, and self-deleting routines.
- Check Point links the campaign to Konni based on launcher formats and execution-chain overlaps and has published IoCs for defenders.
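The execution-chain traits listed above (an LNK-launched PowerShell loader, CAB extraction, scheduled-task persistence, XOR-decoded in-memory execution, self-deletion) are each weak on their own but strong in combination. The script below is an added example, not code from Check Point's report or from this summary: it runs a handful of heuristic rules over constructed, Sysmon-style process-creation events and scores them per user-launched process tree, so a lone PowerShell console opened from Explorer scores low while a chain showing several traits scores high. The field names, sample command lines and rule thresholds are assumptions for illustration, not Konni indicators; the published IoCs remain the authoritative source for matching.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed, Sysmon-like process-creation record (assumed schema).
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case executable basename
    cmdline: str

def _lc(e: ProcEvent) -> str:
    return (e.cmdline or "").lower()

# Each rule: (name, predicate over (event, parent event or None)).
# These mirror the chain traits named in the summary; thresholds are assumptions.
RULES: List[tuple] = [
    ("lnk_chain_powershell",
     lambda e, p: e.image == "powershell.exe" and p is not None and p.image == "explorer.exe"),
    ("cab_extraction_from_powershell",
     lambda e, p: e.image == "expand.exe" and ".cab" in _lc(e)
                  and p is not None and p.image == "powershell.exe"),
    ("scheduled_task_persistence",
     lambda e, p: e.image == "schtasks.exe" and "/create" in _lc(e)
                  and p is not None and p.image in {"powershell.exe", "cmd.exe"}),
    ("xor_inmemory_execution",
     lambda e, p: e.image == "powershell.exe" and "-bxor" in _lc(e)
                  and re.search(r"\b(iex|invoke-expression)\b", _lc(e)) is not None),
    ("self_delete",
     lambda e, p: e.image in {"powershell.exe", "cmd.exe"}
                  and re.search(r"remove-item [^;]*\$myinvocation", _lc(e)) is not None),
]

def evaluate(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Return rule name -> list of PIDs that matched, in event order."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[str, List[int]] = {}
    for e in events:
        parent = by_pid.get(e.ppid)
        for name, pred in RULES:
            if pred(e, parent):
                hits.setdefault(name, []).append(e.pid)
    return hits

def attribution_unit(e: ProcEvent, by_pid: Dict[int, ProcEvent]) -> int:
    """Walk up to the first ancestor launched directly from explorer.exe
    (the user-initiated process, e.g. what an LNK double-click starts)."""
    cur, seen = e, set()
    while cur.pid not in seen:
        seen.add(cur.pid)
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.image == "explorer.exe":
            return cur.pid
        cur = parent
    return cur.pid  # cycle guard for malformed telemetry

def score_by_unit(events: List[ProcEvent]) -> Dict[int, Set[str]]:
    """Distinct rule names observed under each user-launched process tree."""
    by_pid = {e.pid: e for e in events}
    units: Dict[int, Set[str]] = {}
    for e in events:
        parent = by_pid.get(e.ppid)
        for name, pred in RULES:
            if pred(e, parent):
                units.setdefault(attribution_unit(e, by_pid), set()).add(name)
    return units

# Constructed sample telemetry: one suspicious chain (pid 200 and children),
# one benign console (pid 600) and one unrelated service (pid 700).
SAMPLE = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "powershell.exe", r"powershell.exe -WindowStyle Hidden -File C:\Users\Public\loader.ps1"),
    ProcEvent(300, 200, "expand.exe",     r"expand.exe C:\Users\Public\pkg.cab -F:* C:\Users\Public\out"),
    ProcEvent(400, 200, "schtasks.exe",   r"schtasks.exe /create /sc minute /mo 10 /tn Updater /tr C:\Users\Public\run.bat"),
    ProcEvent(500, 200, "powershell.exe",
              r'powershell.exe -nop -c "$d = $bytes | ForEach-Object { $_ -bxor $key }; '
              r'Invoke-Expression $script; Remove-Item $MyInvocation.MyCommand.Path"'),
    ProcEvent(600, 100, "powershell.exe", "powershell.exe"),
    ProcEvent(700, 1,   "svchost.exe",    "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for unit, names in sorted(score_by_unit(SAMPLE).items()):
        print(f"pid {unit}: {len(names)} traits -> {sorted(names)}")
```

Keying the score on the first process launched from Explorer rather than on individual events is what separates the benign console (one trait) from the loader chain (five traits); in production the same idea applies to EDR process-tree data, with the rule list tuned against the report's IoCs and the local false-positive baseline.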